Skip to main content
COMPREHENSIVE AUDIT

Complete Data Harvesting Audit

Systematic reverse engineering of Facebook iOS v345.0 across 61 frameworks, cataloging every category of user data collected, the mechanisms used to harvest it, and the infrastructure that routes it to Meta's servers.

61
Frameworks
10
Data Categories
50+
Analytics Loggers
5
API Endpoints
6
Background Modes

The 8 Most Alarming Findings

Shadow permission systems, DEFCON remote control, privacy counter -- the findings that shocked us most

Biometric & Facial Surveillance

FBCameraFramework - 80,212 functions, 316,588 symbols

CRITICAL

Face Detection with 4 Embedded ML Models

Proprietary ML models embedded in the binary for on-device face analysis:

face_detector_model.bin

Initial face detection - finds faces in frame

face_tracker_model.bin

Continuous face tracking across frames

features_model.bin

Facial feature extraction for recognition

pdm_multires.bin

Point Distribution Model - facial landmark fitting

Binary reference at 0x007159e0:

FUN_007159e0 -> loads face_detector_model.bin, face_tracker_model.bin, features_model.bin, pdm_multires.bin

Iris Tracking, Expression & Gesture Recognition

MSQRD engine (acquired 2016) provides real-time face analysis:

IRIS
msqrd::iris_tracking_module::IrisTrackingModule

Tracks iris position via EyeballCenterPositionAction

EXPR
msqrd::IFacialExpressionFittingFactory

Analyzes facial expressions, fitting emotional state models

GEST
msqrd::capabilities::facialGestureRecognition

Recognizes smiles, nods, blinks, and other gestures

MOVE
FacialMovementsModule

initWithTrackerMode:setHighPolyMode:maxDetectionScales:setUseEarTracker:setUseIrisTracker:setUseFacialGestures:

Body Analysis: Hands, Skeleton, Segmentation

Hand Tracking

hand_tracking_v2::HandTrackingConfigRingTryOnDataProviderConfiguration

Full hand pose with virtual try-on for retail

Body Skeleton

msqrd::scene::SkeletonCollectorSkeletonJointsTransformCollector

Joint-level body pose tracking

Person/Hair Segmentation

PersonSegmentationDataProviderCreatorHairSegmentationDataProviderCreator

PyTorch-powered pixel segmentation

Location & Environmental Tracking

FBLocationComponentsFramework + main binary

CRITICAL

Background Location with Unauthenticated Access

Location API accepts requireBackgroundAccess and requireUnauthenticatedAccess - tracking without a logged-in session.

initWithProductID:privacyID:desiredAccuracy:desiredFreshness:
  requireBackgroundAccess:(BOOL)background    // persistent tracking
  requireUnauthenticatedAccess:(BOOL)noAuth   // without login
  onLocationUpdate:onError:queue:session:
latitude / longitudeDouble-precision GPS
speed / heading / altitudeMovement vector
network_ssid / wifiBSSIDWiFi fingerprinting
placeVisits / location_age_msVisit detection

Location Batch Upload & BLE Beacons

GraphQL Upload

LocationBatchUpload
__FBAppJobStartLocationBatchUpload

Fleet Beacon (BLE Scanning)

FBCLBeaconScan / FBCLBeaconCache
FBFleetBeaconTriggerFactory
FBFleetBeaconLiveQueryAppJob

Audio Surveillance Pipeline

FBAudioFramework - 1,797 functions

CRITICAL

Real-Time Speech Transcription via Shortwave

LIVE STREAMING ENDPOINT
wss://shortwave.facebook.com/v2/vp/recognition

Pipeline: AudioUnitRender capture -> Opus encoding (FBSpeechHelperEncodingOpusConverter) -> HTTP/2 WebSocket -> Server transcription -> didReceiveTranscription:isFinal:

All 6 Background Execution Modes Declared

audio
voip
location
fetch
processing
remote-notification

Key methods: enableBackgroundAudio, forceUpdateAudioSession, speechRecorder:didCaptureAudioData:

Contact & Social Graph Mining

Continuous Contact Upload (CCU) + PYMK

HIGH

Continuous Contact Upload (Not One-Time)

Your address book is re-uploaded continuously, not just once:

shared_continuous_contact_upload

Cross-session CCU service

schedule_contact_importer_trigger_during_session

Auto-trigger during active sessions

ContactBatchUploadMutation

GraphQL batch upload mutation

ContactUploadSessionCreateAndMaybeBatchUploadMutation

Session creation + upload combo

PYMK (People You May Know) - 30+ Symbols

pymk_email PymkCandidatePriorityCache netego_pymk pymk_add / pymk_xout pymk_imp NOTIF_PYMK private.stories.pymk

sendFriendRequestToPerson:howFound:reference:pymkLocation: tracks exactly HOW each friend was discovered.

Behavioral Profiling & Tracking

50+ specialized analytics loggers

HIGH

Dwell Time

DWELL_TIME / AD_DWELL_TIME
dwell_time_threshold / dwell_timer_reached
BOOSTED_B2C_DWELL_TIME_STICKY_CTA

Time Spent

TIME_SPENT_ON_SCREEN / BACKGROUND_TIME_SPENT
ACTIVE_TIME_SPENT / INACTIVE_TIME_SPENT
ios_background_task_time_by_name_spent_per_hour

Viewport & Impressions

FBSetupViewportImpressionTracking
FBHScrollImpressionLogging
display_pixel_luminance_average

15+ Parallel Sessions

app_session_id / lifecycle_session_id
search_results_session_id / typeahead_session_id
waterfall_session_id / funnel_session_id

50+ Analytics Loggers

FBFunnelLogger FBAdTrackingManager FBPayUPLLogger FBUsageTimeLogger FBProfileEngagementLogger FBAnalyticsLoggerForMQTT FBVideoFeedAdsAnalyticsLogger FBSSLKeyMaterialLogger FBAutomatedLoggingHandlerNativeModule FBGraphMessageSendAnalyticsLogger

Device Fingerprinting & Cross-App Tracking

HIGH

Cross-App Family ID

FBAnalyticsFamilyDeviceID

Links device across Facebook, Instagram, WhatsApp

Global Client ID

ONE_WORLD_CLIENT_ID

Universal identifier across Meta infrastructure

IDFA with ATT Bypass

ios_idfa_access_on_new_plaforms.allowedios_idfa_runtime_checks.enabled

Remote flags control IDFA access behavior

Encrypted RTB Cookie Sync

FBEncryptedUIDRtbIDQueryencryptedCookieSyncUidRtbid

Encrypted user ID shared with ad exchanges

Clipboard & Device State

Clipboard Access

generalPasteboard (3 call sites)
PasteboardKeyImageToFb / VideoToFb
PasteboardKeyAppId (source app ID)

Device State Collection

Battery (25 refs) / Carrier (25 refs)
Locale/Language (60 refs) / Keychain (17 refs)
Disk space / Time zone

Network & Connectivity Surveillance

Network Metadata Mega-Function (0x100139a88)

One function collects all network parameters in a single pass:

transport_type / network_type
ip_address / server_ip_address
proxy_host / proxy_connect
DNSResolution / DNSCache / DNSConnect
TCPConnect / TLSSetup / FizzConnect
QuicConnect / ReplaySafety

Insecure HTTP Exceptions

h.facebook.com- Insecure HTTP allowed
od.fbinfra.net (+ all subdomains)- Insecure HTTP allowed

Data Transport & Exfiltration

5 Hardcoded API Endpoints

api.facebook.comPrimary REST API
b-api.facebook.comBatch API
graph.facebook.comGraph API
b-graph.facebook.comBatch Graph API
lithium.facebook.comInternal codename

Transport Protocols

MQTT (30+ refs)

Persistent real-time analytics via FBAnalyticsLoggerForMQTT

GraphQL Mutations

Batch: ContactBatchUploadMutation, LocationBatchUpload

WebSocket

Live audio to wss://shortwave.facebook.com

Silent Push & Background Execution

push_notification_silent_push_received
defcon_level_updated_silent_push
cancel_logging_when_backgroundAudit trail destruction

A/B Testing & Remote Control

30+ Quick Experiment flags remotely control privacy-sensitive behaviors:

_qe_ios_location_access_kit_alert_controller

A/B tests location permission dialog variants

FBBotDetectionModule...signal_collection...on_cold_start

Signal collection on every app launch

_qe_ios_video_ads_product_logging_universe

Video ad tracking experiment

_qe_messenger_badge_count_logging

Messenger logging experiment

Privacy Suppression Infrastructure

CRITICAL

Permission Dialog Suppression

ama_hide_camera_permissions_dialog_apple_hig

Hides camera permission dialog. Value -1 = always suppress. Bypasses Apple HIG.

skip_privacy_dialog / skip_privacy_dialog_v2

Skips privacy dialogs entirely.

should_hide_microtray

Hides microphone indicator that alerts users to active recording.

cancel_logging_when_background

Disables logging when backgrounded - audit trail destruction.

privacy_settings_screen_variant (8 variants)

Privacy settings A/B tested - users see different controls.

Microphone Profiling

enable_microphone_profile
enable_kid_requested_microphone_profile

Microphone profiling specifically for children's accounts

Methodology

Static binary analysis of Facebook iOS v345.0 (build 333768490, branch fbobjc/releases/release-fbios-2021.11.18) using Ghidra with deep analysis profiles. All findings from compiled binary.

Binaries Analyzed

Facebook (main)80k+ funcs / deep
FBSharedFramework316k symbols / deep
FBCameraFramework80,212 funcs / deep
FBAudioFramework1,797 funcs / deep
FBLocationComponentsFramework2,025 funcs / deep

Techniques

  • - String analysis across all binary segments
  • - ObjC class and selector enumeration
  • - C++ symbol demangling (MSQRD, Viper, PyTorch)
  • - Function decompilation and xref analysis
  • - Info.plist and entitlement extraction
  • - GraphQL mutation discovery

This is what one app collects.

Every finding comes from symbols, strings, and code in the binary you download from the App Store. No speculation - just engineering.

View Full Evidence Take Action